NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

OIG REPORT TO OMB ON NCUA COMPLIANCE WITH
GOVERNMENT INFORMATION SECURITY REFORM ACT
2002

Report #OIG-02-12        September 16, 2002

Acting Inspector General:

Auditor in Charge:


EXECUTIVE SUMMARY

The Government Information Security Reform Act (GISRA), Public Law 106-398, requires Inspectors General (IG) to perform independent evaluations to:

   •   Assess compliance with GISRA and agency security policies and procedures; and
   •   Test effectiveness of information security control techniques for a subset of the agency’s information systems.

The NCUA OIG performed three reviews during the reporting cycle that tested effectiveness of information security and internal controls:

   •   On March 7, 2002, the OIG issued a report containing an Evaluation of Project Risks Associated with an Upgrade to Comprehensive Human Resources Integrated System (CHRIS). The purpose of our review was to determine whether NCUA had mitigated the project risks of a major HR system upgrade by performing appropriate analysis, planning, and monitoring. The focus of this review was intended to provide reasonable assurance regarding the design and effectiveness of controls over systems and procedures. Our review identified several system migration weaknesses. We reported that these weaknesses could lead to overall increased project risk, NCUA needs/requirements not being met, the planned implementation timeframe not being met, increased security and system access risks, and expanding costs. According to NCUA, the conversion was successfully completed in Spring 2002.

   •   On March 31, 2002, the OIG issued the Financial Statement Audit Report for the year ended December 31, 2001. The purpose of this audit was to express an opinion on whether the financial statements were fairly presented. In addition, the internal control structure was reviewed and an evaluation of compliance with laws and regulations was performed as part of the audit. The result of this audit was an unqualified opinion, stating that the financial statements were presented fairly. Although there were no material weaknesses identified during the review of the internal control structures pertinent to financial reporting, eighteen recommendations were made relating to weaknesses in the area of information security.

   •   On September 16, 2002, the OIG issued a report containing an evaluation of NCUA’s compliance with the Government Information Security Reform Act. Although NCUA has not achieved full compliance with GISRA, the agency has made significant progress toward that goal. NCUA has established the basis for an improved information security program, which if properly implemented and maintained over time should meet the goals set forth by GISRA. NCUA has appointed a Security Officer to oversee the security program. During the past year, the Security Officer has coordinated the completion of risk assessments and security plans for most of NCUA’s systems. In addition, NCUA has made acceptable progress in correcting information security issues previously identified in other reviews.

The overall objective of this review was to perform an independent evaluation as required by GISRA in order to assess compliance with GISRA and agency security policies and procedures. To fulfill the objectives of the review, we performed a detailed review of NCUA’s risk assessments, security plans, and other relevant documents where available. In addition, we interviewed each of the designated systems business owners in order to execute a compliance gap analysis for each of the major computer systems. The procedures also included reviewing available documentation to determine:

   •   The level of compliance for each of the critical elements under review;
   •   Items requiring a corrective action plan; and
   •   Accepted risks associated with each system.

The NCUA Office of Inspector General (OIG) determined that NCUA is actively working towards compliance with GISRA. The following represents the agency’s status toward compliance with key GISRA provisions as of August 2002:

   •   NCUA established policies and procedures for an agency-wide security program. In February 2002, the Executive Director issued an instruction to all staff outlining the security responsibilities of the CIO, Offices of Primary Interest, and Information Security Officer. NCUA also prepared a document with Information Security Procedures. The goal of this document is to establish the procedures used by NCUA to create and maintain an agency-wide security plan. This plan will provide the basis for high-level oversight of all security efforts, ensure that all security measures are well coordinated, and provide an operating framework for all more specific security plans.

   •   NCUA is in the process of updating its Continuity of Operations Plan. In addition, the disaster recovery plan was tested successfully. Although the infrastructure disaster recovery plan covers the recoverability of the systems, business owners have not documented a business continuity plan for processes supported by their systems. Most of the system owners verbally communicated to us the steps they would take should their system become unavailable; however, these processes are not documented for someone other than the business owner to carry out.

   •   The CIO and Information Security Officer had oversight over the agency-wide security program and ensured effective implementation by working with program officials. The CIO and Security Officer assisted agency program officials with their risk assessments and security plans.

   •   The CIO contracted with an independent public accounting firm to perform a penetration test. The results of the penetration test did not reveal any material security weaknesses.

   •   NCUA program officials performed risk assessments on eighteen systems, and an additional system’s risk assessment was performed subsequent to our review.

   •   NCUA program officials developed eighteen security plans, one for each system under their control, and one additional system’s security plan was developed subsequent to our review.

   •   NCUA program officials need to perform periodic management testing of controls for their systems as required by GISRA.

   •   NCUA needs to perform due diligence reviews to ensure adequate security steps have been taken for systems and services provided by other government agencies and contractors.

   •   For the reporting cycle, NCUA provided security training to personnel with significant security responsibilities. Security awareness training was provided to most employees during a bi-annual regional conference sponsored by NCUA. In addition, new examiners are provided with basic computer training, which includes security awareness. NCUA plans to use its videotaped regional conference presentation for contractors and new non-examiner personnel.

   •   A formal incident response capability has been documented, but still needs to be implemented.

   •   NCUA plans to develop and implement an intrusion detection system by the end of 2002.

The OIG made specific recommendations to management that address concerns identified during this review.


OMB QUESTIONS with OIG RESPONSE

The Office of Management and Budget (OMB) has requested OIGs to submit the results of their independent evaluation by responding specifically to questions in OMB Memorandum M-02-09. The following presents our evaluation of the National Credit Union Administration’s (NCUA) compliance with GISRA. While the OCIO shared its preliminary draft report to OMB with the OIG, there was insufficient time to verify the content of the agency’s submission to OMB.

A. General Overview

  1. Identify the agency’s total security funding as found in the agency’s FY02 budget request, FY02 budget enacted, and the President’s FY03 budget.

             No OIG evaluation required.

  2. Identify and describe as necessary the total number of programs and systems in the agency, the total number of systems and programs reviewed by the program officials, CIOs, or IGs in both last year’s report (FY01) and this year’s report (FY02) according to the format provided below. Agencies should specify whether they used the NIST self-assessment guide or an agency developed methodology. If the latter was used, confirm that all elements of the NIST guide were addressed.

             During 2001, NCUA did not identify programs for this purpose. NCUA identified seven mission critical systems that did not include other critical systems that were maintained by other agencies such as the agency’s personnel processing system, payroll system, time and attendance system, and disbursement system. NCUA’s program officials and CIO did not perform any program reviews during 2001. The OIG performed two independent evaluations that included information security and internal controls during the 2001 reporting period: SAP Security Review and 2000 Financial Statement Audits. Both independent evaluations included NCUA’s core financial system, which is one of the agency’s mission critical systems.

             During 2002, NCUA determined there is one program supported by nineteen systems, which include the systems that were left out of the 2001 GISRA reporting cycle. Program officials and the CIO prepared eighteen security plans and performed eighteen risk assessments using NIST SP 800-26. The CIO contracted with an independent public accounting firm to perform a penetration test, which disclosed no material weaknesses. However, program officials have not independently tested or validated security controls over their respective systems.

             During the 2002 reporting period, the OIG performed three independent evaluations that evaluated information security and internal controls: 2001 Financial Statement Audits, Evaluation of Project Risks Associated with Upgrade to Comprehensive Human Resources Integrated System, and Independent Evaluation of NCUA’s Information Security Program.

                                                                      FY01     FY02
      a.   Total number of agency programs.                            0        1
      b.   Total number of agency systems.                             7        19
      c.   Total number of programs reviewed.                          0        0
      d.   Total number of systems reviewed.                           1        4

  3. Identify all material weaknesses in policies, procedures, or practices as identified and required to be reported under existing law. (Section 3534(c)(1)-(2) of the Security Act.) Identify the number of reported material weaknesses for FY01 and FY02, and the number of repeat weaknesses in FY02.

                                                                      FY01     FY02
       a. Number of material weaknesses reported.                      0        0
       b. Number of material weaknesses repeated in FY02.              0        0


B. Responsibilities of Agency Head

  1. Identify and describe any specific steps taken by the agency head to clearly and unambiguously set forth the Security Act’s responsibilities and authorities for the agency CIO and program officials. Specifically how are such steps implemented and enforced? Can a major operating component of the agency make an IT investment decision without review by and concurrence of the agency CIO?

              In February 2002, the Executive Director issued an instruction to all staff outlining the security responsibilities of the CIO, Offices of Primary Interest, and Information Security Officer. NCUA also drafted a document with Information Security Procedures. The goal of this document is to establish the procedures used by NCUA to create and maintain an agency-wide security plan. This plan will provide the basis for high-level oversight of all security efforts, ensure that all security measures are well coordinated, and provide an operating framework for all more specific security plans.

              The CIO and Deputy Executive Director (DED) met periodically throughout the year to discuss progress with GISRA compliance.

              Although business managers have discretionary budget authority over their respective operations, the final integration of systems at NCUA is monitored and approved by the CIO. In addition, major acquisitions are evaluated and monitored by the Information Technology Oversight Committee for the strategic integration into NCUA’s enterprise architecture.

  2. How does the head of the agency ensure that the agency’s information security plan is practiced throughout the life cycle of each agency system? (Sections 3533(a)(1)(A)-(B), (b)(3)(C)-(D), (b)(6) and 3534(a)(C) of the Security Act.) During the reporting period, did the agency head take any specific and direct actions to oversee the performance of 1) agency program officials and 2) the CIO to verify that such officials are ensuring that security plans are up-to-date and practiced throughout the lifecycle of each system?

              In February 2002, the Executive Director issued an instruction to all staff outlining the security responsibilities of the CIO, Offices of Primary Interest, and Information Security Officer. The agency head delegated the oversight of the agency’s security program to the DED, who was periodically briefed by the CIO on the progress of the agency’s information security program and the implementation of security plans throughout the lifecycle of each system.

              In addition, results from independent reviews and audits are communicated to the Office of the Executive Director (OED). The DED is the agency’s audit follow-up official whose responsibility is to ensure that appropriate corrective action is taken on findings.

  3. How has the agency integrated its information and information technology security program with its critical infrastructure protection responsibilities, and other security programs (e.g., continuity of operations, and physical and operational security)? (Sections 3534(a)(1)(B) and (b)(1) of the Security Act.) Does the agency have separate staffs devoted to other security programs, are such programs under the authority of different agency officials, and if so what specific efforts have been taken by the agency head or other officials to eliminate unnecessary duplication of overhead costs and ensure that policies and procedures are consistent and complementary across the various programs and disciplines?

              Although NCUA does not have any critical infrastructure protection responsibility, NCUA integrated most of its security responsibilities in the agency-wide information technology security program. However, the physical security program requires integration into the overall security program at NCUA.

              Since NCUA is a small agency, there is only one individual with responsibility for the agency information security program, who reports exclusively to the CIO. There is no additional staff devoted solely to the security program.

  4. Has the agency undergone a Project Matrix review? If so, describe the steps the agency has taken as a result of the review. If no, describe how the agency identifies its critical operations and assets, their interdependencies and interrelationships, and how they secure those operations and assets. (Sections 3535(a)(1)(A)-(B), (b)(3)(C)-(D), (b)(6) and 3534(a)(C) of the Security Act.)

              NCUA was not required to undergo a Project Matrix review. However, NCUA management identified systems as those that are supported by OCIO and/or used to support agency operations. Of these nineteen systems, NCUA determined seven have high criticality for supporting agency operations. The CIO and OED plan to perform an annual review of systems and note any additions, disposals, or changes in criticality.

  5. How does the agency head ensure that the agency, including all components, has documented procedures for reporting security incidents and sharing information regarding common vulnerabilities? Identify and describe the procedures for external reporting to law enforcement authorities and to the General Services Administration’s Federal Computer Incident Response Center (FedCIRC). Identify actual performance according to the measures and the number of incidents reported in the format provided below. (Section 3534(b)(2)(F)(i)-(iii) of the Security Act.)

              A formal incident response capability has been documented, but is not yet implemented. NCUA needs to finalize the incident response policies and procedures and implement them. Because NCUA does not have an intrusion detection system, it is difficult for the agency to determine if there were any incidents or attempted breaches in security. NCUA has budgeted for and plans to deploy an intrusion detection system by the end of 2002.

       a. Total number of agency components including bureaus, field activities.         1
       b. Number of agency components with incident handling and response capability.    1
       c. Number of agency components that report to FedCIRC.                            1
       d. Does the agency and its major components share incident information with FedCIRC in a timely manner consistent with FedCIRC and OMB guidance?
          NCUA did not report any incidents to FedCIRC during this reporting cycle.
       e. What is the required average time to report to the agency and FedCIRC following an incident?
          NCUA did not report any incidents to FedCIRC during this reporting cycle.
       f. How does the agency, including the programs within major components, confirm that patches have been tested and installed in a timely manner?
          Currently, the Information Security Officer has an informal process for overseeing the patch process. NCUA is in the process of implementing formal procedures that will identify and track the testing and installation of patches.

                                                                                FY01       FY02
       g. By agency and individual component, number of incidents (e.g.,         0          0
          successful and unsuccessful network penetrations, root or user
          account compromises, denial of service attacks, website defacing
          attacks, malicious code and virus, probes and scans, password
          access) reported by each component.
       h. By agency and individual component, number of incidents reported       0          0
          externally to FedCIRC or law enforcement.


C. Responsibilities of Agency Program Officials

   1. Have agency program officials: 1) assessed the risk to operations and assets under their control; 2) determined the level of security appropriate to protect such operations and assets; 3) maintained an up-to-date security plan (that is practiced throughout the life cycle) for each system supporting the operations and assets under their control; and 4) tested and evaluated security controls and techniques? (Section 3534(a)(2) of the Security Act.)

             Most program officials have performed risk assessments using NIST 800-26 and developed security plans for each of the systems under their control. Of the nineteen systems identified at NCUA, eighteen of them had security plans and risk assessments at the time of our review. However, program officials have not tested and evaluated controls of their respective systems.

                   NATIONAL CREDIT UNION ADMINISTRATION                    TOTAL NUMBER OF SYSTEMS
              TOTAL NUMBER OF AGENCY SYSTEMS                                         19

      By each major agency component and aggregated into an agency total, from last year’s report (FY01) and this reporting period (FY02) identify actual performance according to the measures and in the format provided below for the number and percentage of total systems.

                          NATIONAL CREDIT UNION ADMINISTRATION
                                                                       FY01   FY01   FY02   FY02
                                                                         #      %      #      %
              a. Systems that have been assessed for risk.               0     0%     18    95%
              b. Systems that have been assigned a level of risk         0     0%      4    21%
                 after a risk assessment has been conducted (e.g.,
                 high, medium, or basic).
              c. Systems that have an up-to-date security plan.          0     0%     18    95%
              d. Systems that have been authorized for processing        0     0%      0     0%
                 following certification and accreditation.
              e. Systems that are operating without written              7   100%      1     5%
                 authorization (including the absence of
                 certification and accreditation).
              f. Systems that have the costs of their security           0     0%      0[1]  0%
                 controls integrated into the life cycle of the
                 system.
              g. Systems for which security controls have been           1    14%      4    21%
                 tested and evaluated in the last year.
              h. Systems that have a contingency plan.                   1    14%      2    11%
              i. Systems for which contingency plans have been           1    14%      1     5%
                 tested in the past year.

      [1] See D3.

   2. For operations and assets under their control, have agency program officials used appropriate methods (e.g., audits or inspections) to ensure that contractor provided services (e.g., network or website operations) or services provided by another agency for their program and systems are adequately secure and meet the requirements of the Security Act, OMB policy and NIST guidance, national security policy, and agency policy? Identify actual performance according to the measures and in the format provided below. (Sections 3532(b)(2), 3533(b)(2), 3534(a)(1)(B) and (b)(1) of the Security Act.)

             Other agencies or contractors maintain five systems used by NCUA. Program officials relied on external agencies and contractors to meet all applicable federal security requirements and assumed that their systems are secure. Program officials have not requested any evidence to support these assumptions, and therefore have not applied an appropriate level of due diligence to ensure these systems and services are adequately secure.

                  NATIONAL CREDIT UNION ADMINISTRATION
                                                                  FY01          FY02
       a. Number of contractor operations or facilities.           5             5
       b. Number of contractor operations or facilities reviewed.  0             0


D. Responsibilities of Agency Chief Information Officers

   1. Has the agency CIO: 1) adequately maintained an agency-wide security program; 2) ensured the effective implementation of the program and evaluated the performance of major agency components; and 3) ensured the training of agency employees with significant security responsibilities? Identify actual performance according to the measures and in the format provided below. (Section 3534(a)(3)-(5)) and (Section 3534(a)(3)(D), (a)(4), (b)(2)(C)(i)-(ii) of the Security Act.)

             The CIO developed and had oversight over the agency-wide security program and ensured effective implementation by working with program officials. The CIO and Security Officer assisted agency program officials with their risk assessments and security plans.

             During the course of the year, the Security Officer has attended security seminars that have enhanced the ability of the Security Officer to implement the agency-wide security program. Other OCIO employees who are responsible for implementing technical security controls have attended various technical security seminars throughout the year. In August 2002, the Security Officer provided security awareness training to most employees at a bi-annual NCUA-sponsored conference. However, new non-examiner employees and contractors with access to NCUA’s information technology resources did not receive any security training. The Security Officer’s training at the conference was videotaped and will be used for training new users of NCUA’s information technology resources in the future.

                                                                             FY01        FY02
       a. Other than GAO or IG audits and reviews, how many agency            0           1
          components and field activities received security reviews?
       b. What percentage of components and field activities have had        0%          5%
          such reviews?
       c. Number of agency employees including contractors.                  1477        1451
       d. Number and percentage of agency employees including                7           1094
          contractors that received security training.                       0%          75%
       e. Number of employees with significant security responsibilities.    7           16
       f. Number of employees with significant security responsibilities     7           16
          that received specialized training.                                100%        100%
       g. Briefly describe what types of security training were available.   Technical seminars, conferences, and in-house training (both years)
       h. Total costs for providing training described in (g).               $2,700      $1,500

       i. Do agency POA&Ms account for all known agency security weaknesses including all components and field activities? If no, why not?
          No, results from the CHRIS Audit, 2001 Financial Audit, and Penetration Test were not included in the POA&M.
       j. Has the CIO appointed a senior agency information security official?
          Yes

   2. For operations and assets under their control (e.g., network operations), has the agency CIO used appropriate methods (e.g., audits or inspections) to ensure that contractor provided services (e.g., network or website operations) or services provided by another agency are adequately secure and meet the requirements of the Security Act, OMB policy and NIST guidance, national security policy, and agency policy? Identify actual performance according to the measures and in the format provided below. (Sections 3532(b)(2), 3533(b)(2), 3534(a)(1)(B) and (b)(1) of the Security Act.)

             NCUA utilizes agency employees to informally monitor contractors that supplement NCUA’s information technology staff. In addition, a contractor maintains the backup storage facility. Program officials have assumed that the backup storage facility contractor met federal regulatory requirements and have not applied an appropriate level of due diligence to ensure that these services are adequately secure.

                                                                           FY01    FY02
       a. Number of contractor operations or facilities.                     1       1
       b. Number of contractor operations or facilities reviewed.            0       0

   3. Has the agency CIO fully integrated security into the agency’s capital planning and investment control process? Were security requirements and costs reported on every FY03 capital asset plan (as well as in the exhibit 53) submitted by the agency to OMB? If no, why not? Identify actual performance according to the measures and in the format provided below.
(Sections 3533(a)(1)(A)-(B), (b)(3)(C)-(D), (b)(6) and 3534(a)(C) of the\n   Security Act.)\n\n           Although NCUA is not required to complete a capital asset plan with its\n           budget submission to OMB, NCUA intends to incorporate security with its\n           strategic plan and enterprise architecture. Since a significant portion of\n           NCUA\xe2\x80\x99s information security is handled by the infrastructure, NCUA has\n           not taken any steps to integrate security funding at the system level.\n\n                                                                        FY03        FY04\n                                                                       Budget      Budget\n                                                                      Materials   Materials\n    a.   Number of capital asset plans and justifications submitted      N/A         N/A\n         to OMB?\n    b.   Number of capital asset plans and justifications submitted     N/A         N/A\n         to OMB without requisite security information and costs?\n    c.   Were security costs reported for all agency systems on         N/A         N/A\n         the agency\xe2\x80\x99s exhibit 53?\n    d.   Have all discrepancies been corrected?                         N/A         N/A\n    e.   
How many have the CIO/other appropriate official               N/A         N/A\n         independently validated prior to submittal to OMB?\n\n\n\n\n                                             12\n\x0c                 NATIONAL CREDIT UNION ADMINISTRATION\n                     OFFICE OF INSPECTOR GENERAL\n              OIG REPORT TO OMB ON NCUA COMPLIANCE WITH\n             GOVERNMENT INFORMATION SECURITY REFORM ACT\n                                  2002\n\n ATTACHMENTS\n\nExhibit 1:\nIndependent Evaluation of NCUA\xe2\x80\x99s Information Security Program Required by the\nGovernment Information Security Reform Act\n       Executive Summary,\n       Objectives, Scope, and Methodology,\n       Consolidated Summary Report\n\nExhibit 2:\nFinancial Statement Audit 2001\n       Executive Summary and Observations and Recommendations\n\nExhibit 3:\nEvaluation of Project Risks Associated with Upgrade to Comprehensive Human\nResources Integrated System\n       Executive Summary\n\n\n(Attachments transmitted separately.)\n\n\n\n\n                                        13\n\x0c'